From common-commits-return-98701-apmail-hadoop-common-commits-archive=hadoop.apache.org@hadoop.apache.org Sat May 2 12:54:27 2020 Return-Path: X-Original-To: apmail-hadoop-common-commits-archive@www.apache.org Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by minotaur.apache.org (Postfix) with SMTP id 9A856192D4 for ; Sat, 2 May 2020 12:54:27 +0000 (UTC) Received: (qmail 65759 invoked by uid 500); 2 May 2020 12:54:26 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 65726 invoked by uid 500); 2 May 2020 12:54:26 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 65717 invoked by uid 99); 2 May 2020 12:54:26 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 02 May 2020 12:54:26 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 5C4708BFAB; Sat, 2 May 2020 12:54:26 +0000 (UTC) Date: Sat, 02 May 2020 12:54:26 +0000 To: "common-commits@hadoop.apache.org" Subject: [hadoop] branch branch-3.3.0 updated: SPNEGO TLS verification MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <158842406611.11714.13054598435044531071@gitbox.apache.org> 
From: aajisaka@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: hadoop X-Git-Refname: refs/heads/branch-3.3.0 X-Git-Reftype: branch X-Git-Oldrev: 80fec40499adcc20cfd7a21f5232c3cd363c46d0 X-Git-Newrev: 3bf7cd0030f217ae2c751a1dee68417e6ebc38bd X-Git-Rev: 3bf7cd0030f217ae2c751a1dee68417e6ebc38bd X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. aajisaka pushed a commit to branch branch-3.3.0 in repository https://gitbox.apache.org/repos/asf/hadoop.git The following commit(s) were added to refs/heads/branch-3.3.0 by this push: new 3bf7cd0 SPNEGO TLS verification 3bf7cd0 is described below commit 3bf7cd0030f217ae2c751a1dee68417e6ebc38bd Author: Eric Yang AuthorDate: Tue Mar 31 13:37:55 2020 -0400 SPNEGO TLS verification Signed-off-by: Akira Ajisaka (cherry picked from commit ba66f3b454a5f6ea84f2cf7ac0082c555e2954a7) (cherry picked from commit 0f27c04c23c53f625ecea75ed914375eaf6b9538)
---
 .../main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index d0b10cb..202cde4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -152,6 +152,7 @@ public class WebHdfsFileSystem extends FileSystem
 + "/v" + VERSION;
 public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
 public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
+ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
 /**
 * Default connection factory may be overridden in tests to use smaller
@@ -181,6 +182,7 @@ public class WebHdfsFileSystem extends FileSystem
 private DFSOpsCountStatistics storageStatistics;
 private KeyProvider testProvider;
+ private boolean isTLSKrb;
 /**
 * Return the protocol scheme for the FileSystem.
@@ -242,6 +244,7 @@ public class WebHdfsFileSystem extends FileSystem
 .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
 }
+ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
 ugi = UserGroupInformation.getCurrentUser();
 this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
@@ -699,6 +702,11 @@ public class WebHdfsFileSystem extends FileSystem
 //redirect hostname and port
 redirectHost = null;
+ if (url.getProtocol().equals(getTransportScheme()) &&
+ UserGroupInformation.isSecurityEnabled() &&
+ isTLSKrb) {
+ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
+ }
 // resolve redirects for a DN operation unless already resolved
 if (op.getRedirect() && !redirected) {
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
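Review bot: The policy test added in the `-242,6 +244,7` hunk is an exact, case-sensitive match on the raw configuration string, so a value such as `https_only` or one with surrounding whitespace leaves `isTLSKrb` false and the cleartext guard added in the later hunk is silently skipped. If the server side parses this key more leniently (not visible here), the client and server would disagree about the policy, and the client would fail open. Normalising the value first would avoid that, for example `this.isTLSKrb = "HTTPS_ONLY".equalsIgnoreCase(conf.getTrimmed(DFS_HTTP_POLICY_KEY));`. The flag is also derived only from the client's own configuration, so a comment saying it is a client-side safeguard and that the server must still refuse cleartext SPNEGO would help. The enclosing method starts and ends outside the hunk.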
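Review bot: The guard in the `-699,6 +702,11` hunk compares `url.getProtocol()` with `getTransportScheme()` rather than with the cleartext scheme itself, so what it blocks depends on a method whose body is not in this diff. If any subclass overrides `getTransportScheme()` to return `https`, the condition is true for exactly the TLS connections that `HTTPS_ONLY` requires and false for plain `http` URLs, which inverts the intent. Since the aim is to keep Kerberos/SPNEGO negotiation off cleartext transport, testing the URL directly is safer: `if ("http".equals(url.getProtocol()) &&`. A short comment above the check stating that it prevents SPNEGO tokens from being sent over an unencrypted connection would also document why it sits before redirect resolution. The enclosing method starts and ends outside the hunk.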